I'm new to AWS, and I've tried searching everywhere for this, but I can't find a suitable answer.
My goal is to create a CloudFormation template that forms a new stack without assuming AWS Config is already enabled. This template should define several more items, one of which should be a ConfigRule.
To achieve this, I found this template, which seems to work fine, and then tried adding a ConfigRule from one of these examples into the same template file. But when I try to create a new stack from this combined template, I get this error:
"You must first create a configuration recorder before you can create or update a configuration rule. (Service: AmazonConfig; Status Code: 400; Error Code: NoAvailableConfigurationRecorderException)"
Since the template file does define a configuration recorder, I'm not sure what's wrong with it. This is basically a copy of the linked template, with comments marking where I added things, just to add a sample Config rule that should be created as part of the template:
AWSTemplateFormatVersion: 2010-09-09
Description: 'The AWS CloudFormation template creates KMS encryption keys for Config and S3, an encrypted S3 bucket, and enables Config for the account'
# added for configRule - start (1)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Configuration
        Parameters:
          - Frequency
    ParameterLabels:
      Frequency:
        default: Frequency
Parameters:
  Frequency:
    Type: String
    Default: 24hours
    Description: Maximum rule execution frequency.
    AllowedValues:
      - 1hour
      - 3hours
      - 6hours
      - 12hours
      - 24hours
Mappings:
  Settings:
    FrequencyMap:
      1hour: One_Hour
      3hours: Three_Hours
      6hours: Six_Hours
      12hours: Twelve_Hours
      24hours: TwentyFour_Hours
# added for configRule - end (1)
Resources:
  # added for configRule - start (2)
  CheckForRootMFA:
    Type: AWS::Config::ConfigRule
    Properties:
      Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      MaximumExecutionFrequency: !FindInMap
        - Settings
        - FrequencyMap
        - !Ref Frequency
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
  # added for configRule - end (2)
  # KMS S3 Config Service encryption key
  s3configKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-s3config
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ''
                - - 'arn:aws:iam::'
                  - !Ref 'AWS::AccountId'
                  - ':root'
            Action: 'kms:*'
            Resource: '*'
  s3configKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/s3config
      TargetKeyId:
        Ref: s3configKey
  # Build AWS Config Service S3 Bucket for Storage
  AWSConfigS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              # Ref on an AWS::KMS::Alias returns the alias name, so this yields the alias ARN
              KMSMasterKeyID: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${s3configKeyAlias}'
              SSEAlgorithm: 'aws:kms'
  # Build AWS Config Recorder
  ConfigRecorder:
    Type: 'AWS::Config::ConfigurationRecorder'
    Properties:
      Name: 'ConfigRecorder'
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: !GetAtt
        - AWSIAM
        - Arn
  # Build IAM Role for Config
  AWSIAM:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
      Path: /
      Policies:
        - PolicyName: S3-access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref AWSConfigS3Bucket
                    - /AWSLogs/
                    - !Ref 'AWS::AccountId'
                    - /*
                Condition:
                  StringLike:
                    's3:x-amz-acl': bucket-owner-full-control
              - Effect: Allow
                Action:
                  - 's3:GetBucketAcl'
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref AWSConfigS3Bucket
  # Create Config Delivery Channel
  DeliveryChannel:
    Type: 'AWS::Config::DeliveryChannel'
    Properties:
      S3BucketName: !Ref AWSConfigS3Bucket
Outputs:
  S3KMSKeyAlias:
    Description: 'S3 KMS Key Alias'
    Value:
      Ref: 's3configKeyAlias'
  AWSIAM:
    Description: 'IAM Role for Config'
    Value:
      Ref: 'AWSIAM'
  AWSConfigS3Bucket:
    Description: 'Encrypted S3 Bucket for Config Logs'
    Value:
      Ref: 'AWSConfigS3Bucket'
  ConfigRecorder:
    Description: 'Config Recorder'
    Value:
      Ref: 'ConfigRecorder'
  DeliveryChannel:
    Description: 'Config Delivery Channel'
    Value:
      Ref: 'DeliveryChannel'
Answer 1
CloudFormation usually works out the right order in which to deploy components, but sometimes it gets it wrong. You can give it a hint with the DependsOn attribute, saying that the configuration recorder must be created before the Config rule. I'm not 100% sure this will help, but it's worth a try.
  CheckForRootMFA:
    DependsOn: ConfigRecorder
    Type: AWS::Config::ConfigRule
    Properties:
      (etc)
Looking at my own Config template, I can see that I create the following:
- AWS::Config::ConfigurationRecorder
- AWS::Config::DeliveryChannel
- AWS::SNS::Topic
But I don't actually create Config rules, because I use AWS Security Hub to create those for me.
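A way to catch this ordering problem before deploying, as an added example that is not code from the original question or answer: a small stdlib-only Python checker that builds the dependency graph CloudFormation derives from Ref, Fn::GetAtt, Fn::Sub and DependsOn, then reports any AWS::Config::ConfigRule with no path to an AWS::Config::ConfigurationRecorder. It also treats AWS::Config::DeliveryChannel as needing the recorder, on the assumption that PutDeliveryChannel raises the same NoAvailableConfigurationRecorderException. It works on the JSON form of a template (a trimmed, constructed copy of the question's template is embedded, since parsing the YAML short-form tags would need PyYAML); the names BROKEN_TEMPLATE, with_depends_on and unordered_config_resources are the example's own.

```python
import copy
import re
from typing import Dict, Iterable, List, Set

RECORDER_TYPE = "AWS::Config::ConfigurationRecorder"
# Resource types whose create call fails with NoAvailableConfigurationRecorderException
# when no recorder exists yet. ConfigRule is the case from the question; including
# DeliveryChannel is an assumption (PutDeliveryChannel needs a recorder too).
NEEDS_RECORDER = {"AWS::Config::ConfigRule", "AWS::Config::DeliveryChannel"}

# ${LogicalId} or ${LogicalId.Attr} inside Fn::Sub; pseudo-parameters such as
# ${AWS::Region} contain "::" and deliberately do not match.
_SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9.]+)?\}")


def _referenced(node, names: Set[str]) -> Iterable[str]:
    """Yield logical IDs that Ref / Fn::GetAtt / Fn::Sub point at inside a property tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref":
                if value in names:
                    yield value
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else str(value).split(".", 1)[0]
                if target in names:
                    yield target
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                yield from (m.group(1) for m in _SUB_VAR.finditer(text) if m.group(1) in names)
                if isinstance(value, list):  # explicit variable map may itself hold Refs
                    yield from _referenced(value[1], names)
            else:
                yield from _referenced(value, names)
    elif isinstance(node, list):
        for item in node:
            yield from _referenced(item, names)


def dependency_graph(template: dict) -> Dict[str, Set[str]]:
    """Edge a -> {b, ...} means CloudFormation must create every b before a."""
    resources = template["Resources"]
    names = set(resources)
    graph: Dict[str, Set[str]] = {}
    for logical_id, res in resources.items():
        deps = set(_referenced(res.get("Properties", {}), names))
        explicit = res.get("DependsOn", [])
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        graph[logical_id] = deps
    return graph


def _closure(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """Everything that must exist before `start` (transitive dependencies)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def unordered_config_resources(template: dict) -> List[str]:
    """Logical IDs that need a recorder but have no dependency path to any recorder."""
    resources = template["Resources"]
    graph = dependency_graph(template)
    recorders = {n for n, r in resources.items() if r["Type"] == RECORDER_TYPE}
    return sorted(n for n, r in resources.items()
                  if r["Type"] in NEEDS_RECORDER and not (_closure(graph, n) & recorders))


def with_depends_on(template: dict, logical_id: str, on: str) -> dict:
    """Copy of the template with the explicit DependsOn hint from the answer added."""
    fixed = copy.deepcopy(template)
    fixed["Resources"][logical_id]["DependsOn"] = on
    return fixed


# Constructed, trimmed JSON-form version of the question's template: the rule has no
# Ref/GetAtt to the recorder, so CloudFormation sees no reason to order them.
BROKEN_TEMPLATE = {"Resources": {
    "CheckForRootMFA": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}}},
    "AWSConfigS3Bucket": {"Type": "AWS::S3::Bucket"},
    "AWSIAM": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyDocument": {
        "Statement": [{"Resource": {"Fn::Sub": "arn:aws:s3:::${AWSConfigS3Bucket}/*"}}]}}]}},
    "ConfigRecorder": {"Type": RECORDER_TYPE, "Properties": {
        "RoleARN": {"Fn::GetAtt": ["AWSIAM", "Arn"]}}},
    "DeliveryChannel": {"Type": "AWS::Config::DeliveryChannel", "Properties": {
        "S3BucketName": {"Ref": "AWSConfigS3Bucket"}}},
}}

if __name__ == "__main__":
    print("broken:", unordered_config_resources(BROKEN_TEMPLATE))
    fixed = with_depends_on(BROKEN_TEMPLATE, "CheckForRootMFA", "ConfigRecorder")
    fixed = with_depends_on(fixed, "DeliveryChannel", "ConfigRecorder")
    print("fixed:", unordered_config_resources(fixed))
```

Run stand-alone it reports CheckForRootMFA and DeliveryChannel for the question's layout and nothing once DependsOn: ConfigRecorder is added to both. The point it makes visible is that CloudFormation only orders resources along intrinsic references, and nothing in the rule's properties references the recorder (the rule goes to the Config service by account, not by resource ARN), so the two creates race and the rule loses with NoAvailableConfigurationRecorderException; the explicit DependsOn is the only edge that can express that ordering.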